Security advisory: High Assurance Boot (HABv4) bypass
=====================================================
The NXP i.MX53 System-on-Chip, main processor used in the USB armory Mk I board
[1] design, suffers from vulnerabilities that allow bypass of the optional High
Assurance Boot function (HABv4).
The HABv4 [2] enables on-chip internal boot ROM authentication of the initial
bootloader with a digital signature, establishing the first trust anchor for
further code authentication.
This functionality is commonly known as Secure Boot [3] and it can be activated
by users who require authentication of the bootloader (e.g. U-Boot) to further
maintain, and verify, trust of executed code.
Quarkslab reported [4] to NXP, and subsequently to Inverse Path, two different
techniques for bypassing HABv4 by means of exploiting validation errors in the
SoC internal boot ROM [5], which are exposed before bootloader authentication
takes place.